Factorization of Polynomials over Finite Fields
advertisement
Factorization
of Polynomials
over Finite Fields
By Robert J. McEliece*
Abstract. If }(x) is a polynomial over GF{q), we observe (as has Berlekanip) that if
h{x)q = h(x) (mod/(x)), then/(i) = TTa gGF(9) gcd (f(x), h{x) — a). The object of this paper
is to give an explicit construction of enough such h's so that the repeated application of
this result will succeed in separating all irreducible factors of/. The h's chosen are loosely
defined by ht{x) = xi + a;»'«-f z""2 + ■• • (mod/(x)). A detailed example over GF(2) is
given, and a table of the factors of the cyclotomic polynomials *„0r) (mod p) for p = 2,
n g 250; p = 3, n S 100; p = 5, 7, n g 50, is included.
I. Introduction. The object of this paper is to present a workable algorithm for
factoring polynomials over finite fields. The existence of such an algorithm is not in
doubt since it is clearly possible to generate recursively all irreducible polynomials
of a given degree over a given finite field, and then test any polynomial for divisibility by the irreducibles, one by one; naturally such an algorithm is highly
impractical for even low degrees. It is of course frequently necessary to be able to
factor polynomials over finite fields; for example in factoring rational primes in
algebraic number fields. The algorithm to be given is quite usable; for example over
GF(2) it is effective for hand calculations up to degree 15 or so, and with the aid
of a computer it is possible to go up to degree several hundred without difficulty.
Through the use of this algorithm we have constructed a table, appearing in the
microfiche section of this issue, of the factors of xn — 1 over GF(p) for p = 2,
n á 250; p = 3, n ^ 100; p = 5, n g 50, p = 7, n g 50. This table gives the
factorization of the primes 2, 3, 5, 7 in the corresponding cyclotomic fields, and is
also of use in studying linear recurrence relations of period n over GF(p), since the
characteristic polynomials of such recurrences are precisely the divisors of xn — 1.
Published tables of irreducible polynomials over finite fields are insufficient to
factor xn — 1 for even modest values of n; for example Marsh's table [1] of polynomials irreducible over GF(2) up to degree 19 cannot be used to factor xi3 — 1 over
GF(2).
Let us finally mention that Berlekanip [2] has recently published a similar
algorithm, which shares Theorem 1, below, with ours, but proceeds in a somewhat
different direction. A brief comparison of the two algorithms is given at the end of
the next section.
II. The Algorithm. Throughout, let F = GF(q), q = pr, p a prime. If f(x) and
g(x) are polynomials over F, denote by (/, g) their greatest common divisor, which
we assume is monic. (We also adopt the convention (/, a) = 1 for a £ F.) We are
given a polynomial f(x) of degree n over F, and are asked to write / as a product of
irreducible factors. We are free to assume that f(x) is squarefree, since unless / is a
Received February 19, 1968, revised October 3, 1968.
* This paper presents the results of one phase of research carried out at the Jet Propulsion
Laboratory,
California Institute of Technology, under Contract No. NAS 7-100, sponsored by
the National Aeronautics and Space Administration.
861
License or copyright restrictions may apply to redistribution; see http://www.ams.org/journal-terms-of-use
862
ROBERT J. MCELIECE
pth power, //(/, /') will be a nontrivial squarefree divisor of/. And while the algorithm can be applied to an arbitrary polynomial, squarefree or not, to find the irreducible powers which divide it, any preliminary reduction in the degree of / which
can be made will shorten the computations. Thus f(x) is henceforth squarefree. We
further assume/(0) ^ 0. Under these circumstances there will be a smallest integer
e such that f(x)\xe — 1 and (e, p) = 1. e is called the period of /.
Theorem 1 gives a way to factor /, under certain circumstances :
Theorem 1. If h(x)q = h(x) (mod f(x)), then
fix) = II (f(x), h(x) - a) .
a&F
Proof. Let 0 be a root of / in a splitting field K. Then h(8)* = h(d) and so h(d),
being fixed by the Galois group of K/F, is an element of F. Thus every root of / is a
root of exactly one of the polynomials h(x) — a, and Theorem 1 follows.
Theorem 1 need not give a nontrivial factorization of/; if h(x) = a(modf(x)) for
some a G F, Theorem 1 is of no use. However, if Theorem 1 does give a nontrivial
factorization of /, we say that h is an f-reducing polynomial; naturally h is automatically /-reducing if 0 < deg h < n = deg /. (It will soon develop that /-reducing
polynomials always exist if/ is reducible.) The object of the rest of this section is to
indicate a method of constructing /-reducing polynomials. There are two possible
ways the algorithm could work: first, we could find just one/-reducing polynomial,
and then inductively proceed to find reducing polynomials for the resulting factors ;
or, we could produce so many /-reducing polynomials that they themselves would
reduce all resulting factors of /. We shall below give two similar families of /-reducing polynomials, corresponding to these two possibilities.
If we discover the least integer N such that xqN = x(mod/(a;)), then N = l.c.m.
(m, 7i2, • • -, nt), where/(.r) = /i(a;) fi(x) ■■• ft(x) is the factorization of/into
irreducibles with deg/fc = n*. N is the degree of the splitting field for/ Now consider
the algebra R¡ over GF(q) of polynomials y = y(x) (mod f(x)), and define the map
T(y) = y + y" + y""2+ • • • + yqN~l- Next we say that /* is a regular divisor of /
if N/nk is not divisible by p. Note that regular divisors always exist.
Theorem 2. T is a GF(q)-linear function on Rf whose rank is equal to the number
of regular divisors of F. Range (T) ÇI GF(q) if and only iff is irreducible.
Proof. By a generalization of the well-known Chinese Remainder Theorem
[3, p. 63] Rf is isomorphic to the direct sum R}%© ■• • © Rit under the map y —*
(y h 2/2i • • •> y*) with y = yk (mod fk(x)). Since the /* are irreducible, the Rfk are
fields. Let Tk be the trace on Rfk; i.e., Tk(y) = y + y« + ■■• + y>nk~\ Then for
y G Rfk, T(y) = mkTk(y) where mk = N/nk. Thus for y G R,, T(y) =
T(yi, J/2, • • -, yp) = (mPTi(yi), ■■-, mtTt(yt)), and so if mk = 0 (i.e.,/* is irregular)
the fcth coordinate of T(y) will be identically zero, and otherwise the fcth coordinate
ranges freely over GF(q). This shows that dim range (T) = number of regular
divisors. To prove the last sentence of Theorem 1, notice that in the isomorphism
Rf = Rf © • • • © Rft, GF(q) appears as the diagonal; i.e. ¿-tuples of the form (a,
a, • • -, a), a G GF(q). Clearly if t ^ 2, range (T) cannot be contained in GF(q) since
as we have seen the nonzero coordinates of range (T) vary independently from one
another. This completes the proof of Theorem 2.
Now since 1, x, x2, ■• -, xn~l are a basis for Rf over GF(q), the polynomials
License or copyright restrictions may apply to redistribution; see http://www.ams.org/journal-terms-of-use
factorization
of polynomials
over finite
fields
863
Tiix) = T(x*) = xi + xiq + ■• • + xiqN~l span range (T). Furthermore Ti(x)q =
Ti(x) (modf(x)), so we arrive at the important
Corollary
1. The polynomials Ti(x), 1| t < », include f-reducing polynomials
unless f is already irreducible.
Although the polynomials T¿ of Corollary 1 enable us to begin the factorization
of/, they are not usually able to reduce all the resulting factors. What is not difficult
to show is that the best the TVs allow is the factorization f = fi ■■■fPfj+i where
/i> h, • • ' ; fi are the regular divisors of / and /y+1 is the product of the irregular
divisors. Of course what one does in practice is compute the first/-reducing
T',-, and
then compute new T¿ for each of the resulting factors. However, it is possible to
give another set of polynomials, Rpx), which are capable of separating all the irreducible factors of/ at once.
Definition. For each i, 1 ^ i < e, let m{ be the least integer such that x' =
xiqmi (mod f(x)). (It is easy to see that m,- = orde/(e,¿)(g), but it is not necessary to
know e in order to compute the m¿.) We define
Ä,(a:) s x* + xiq 4- ■■■ + xiqmi~l (mod /(*))
.
Then the Ri clearly satisfy Rq = R (modf(x)), and so they are certainly candidates
for/-reducing polynomials; indeed Tpx) = ctRi(x) (mod f(x)) for c¿ = N/m,, so
that the ñ¿ are certainly no worse than the Tt. We now show that the ß„ 1 ^ i < e,
are capable of distinguishing all the factors of /. Two easy lemmas are required. We
shall see that it is enough to consider the special case f(x) = x" — 1.
Lemma 1. Letf(x) = xe — 1 for some e prime to p. Ifh(x)q = h(x) (mod xe — 1),
then h(x) is a GF(q)-linear combination of the polynomials Rpx).
Proof. We first describe the R,. According to the definition let m¿ be the smallest
integer such that x' = x'"™*(mod xe — 1); i.e., i = iqm* (mod e). Hence Ri = xi +
xiq + • • • + xiqm~l, and the exponents which occur are precisely the residues mod e
which are obtained from i by multiplying by various powers of q. For example with
q = 3, e = 13, the orbits are (0), (1, 3, 9), (2, 6, 5), (4, 12, 10), (7, 8, 11) and so
Ri = R3 = Rv = x + x3 + x9; R2 = R« = Rn = x2 + xb + xe, etc. Now suppose
h(x)q = h(x) (mod x" — 1); if we let h(x) = £¡ü
hkxk, then h(x)q = h(xq) =
y, hk xqk, with exponents reduced mod e, if necessary. Hence hk = hkq = hkq2= • • •
for all k, so that h(x) = ^]*Gk hk Rk(x), where the set K contains exactly one
member from each equivalence class of residues modulo e given by fci ~ fc2if and
only if ki = ki q' (mod e) for some t ^ 0.
Lemma 2. Iff is an irreducible divisor of xe — 1, then there is a polynomial g with
(xe - 1, fg) = f and (fg)q = fg (mod x° - 1).
Proof. Since (e, p) = 1, xe — 1 is squarefree, and so (/, (xe — 1)//) = 1. Hence
there is a g such that fg = 1 (mod (xe — 1)//). This implies (fg)2 = fg (mod xe — 1)
and so also (fg)q = fg (mod xe — 1). Finally from (g, (xe — 1)//) = 1 follows
(fg,* - 1) - /.
Theorem 3. Letfi andfi be distinct irreducible divisors of xe — 1. Then there is an
integer i, 1 | i < e, and distinct elements a, b G F such that
Ri(x) = a(mod fP) ,
Hence the factors fi andfi
using Ri.
can be "separated"
Ri(x) = 6(mod /2) .
by the factorization given in Theorem 1,
License or copyright restrictions may apply to redistribution; see http://www.ams.org/journal-terms-of-use
864
ROBERT J. MCELIECE
Proof. Suppose, on the contrary,
that for each i there is an element a¿: G F such
that Ri(x) = ai (modfifP). By Lemma 2 there exists h(x) such that (fih)q = fpi
(mod xe — 1) and (fih, xe — 1) = fi. Lemma 1 then shows that/i/i = YJ biRpx) for
suitable fc¿ G í1- Our assumption implies that fih = YJ &«-ßi= 23 a<^i —
b (mod/1/2) ; this implies fih = b (mod/i) so that b = 0. On the other hand/^
= 0
(mod/1/2) is in conflict with (fih, xe — 1) = /1, and the proof is complete.
Corollary.
For any squarefree f(x), the corresponding Rpx), 1 g i < e =
period (/), will separate all irreducible factors of f.
Proof. Denote by Rpe)(x) the R's associated with xe — 1. Theorem 3 shows us
that the Rpe)(x) suffice to separate all factors of xe — 1, so they certainly suffice to
separate the factors of/. On the other hand xiqTn= x' (mod xe — 1) certainly implies
that xiqm = xi (modf(x)), so that RPe)(x) = kiRi(x) (modf(x)) for suitable fc,-G F;
thus the Ri can separate all the factors of/. (In fact it is not hard to see that fc<= 1
for all i.)
The corollary to Theorem 3 shows that the Ri} 1 á i < e, will separate the
factors of/. One might hope, however, that only the Ri} 1 ^ i < n, would be needed,
but this is not always the case. For example over GF(2), if f(x) = f if if 3 with deg /1 =
deg/2 = 4, deg/3 = 8, then ßi, • ■-, Ru cannot separate/1 from/2. Hence the disadvantage in using the Ri is that it is in general necessary to compute a large
number of them in order to be sure they will separate all factors. However, in the
important special case f(x) = Xe — 1, the Ri are ideally suited. (See Example 2,
below.)
Comparison with Berlekamp's Algorithm. The central point of Berlekamp's
algorithm is that the equation h(x)q — h(x) = 0 (mod f(x)) may be regarded as a
homogeneous system of n simultaneous linear equations in the coefficients of h.
Thus Berlekamp finds /-reducing polynomials by finding the nullspace of a certain
n X n matrix over GF(q). This amounts to row-reducing annXn
matrix, which
turns out to require on the order of n3 coordinate operations over GF(q), and the
amount of calculation is not highly dependent upon the polynomial being factored.
On the other hand, the analysis of the algorithm of this paper is not so simple,
for the amount of calculation required depends very heavily on the integer N which
in turn is highly sensitive to the factorization of /. For example consider squarefree
polynomials f(x) of degree 12 over GF(2) ; if f(x) is the product of the three irreducibles of degree four, N = 4, while degrees 3, 4 and 5 give N = 60. The mean
value for N among all squarefree polynomials of degree 12 which have no linear
factor is 16.4, and it seems reasonable to conjecture that the mean value of N grows
linearly with n. (But one can show that the largest possible value of N grows faster
than exp (71a) for all a < §.) Thus to compute Tpx), one needs N successive gth
powers of xi (modulo f(x)), which requires n2N coordinate operations. And since in
general several 7\- must be computed before an/-reducing
polynomial is found, this
algorithm is no better than Berlekamp's.
However, the process of computing successive gth powers modulo / is a less complex operation than row-reducing an n X n
matrix, so that the present algorithm is, for example, easier to program.
III. Examples.
1. Let us apply the algorithm to the polynomial/(x)
= x17 4- xu 4- x13 + xn
4- x" + x10 + x9 + xs + x7 4- xb 4- x4 4- x+ 1 over GF(2).f(0)
= 1 and/ is not
License or copyright restrictions may apply to redistribution; see http://www.ams.org/journal-terms-of-use
FACTORIZATION OF POLYNOMIALS OVER FINITE
FIELDS
865
a square. Now/' = z16 + x12 + x10 + Xs + x6 + x4 + 1. We compute (/,/') by
Euclid's algorithm, abbreviating a polynomial 2Z"=o atx* by the (n + l)-tuple
(onOn-i
■ • • aiflo) :
100111111110110011
10001010101010001
101010100010001
10001010101010001
100000100010101
101010100010001
1010000000100
101010100010001
10100000001
10100000001
Hence (/, /') = x10 + x8 + 1, and an easy division gives //(/, /') = x7 + x5 + x4
+ x + 1 =/, which we now know to be squarefree. We now compute the Tpx),
and to do so it is convenient to have a list of even powers of x modulo /:
x° =0000001
x2
x4
x6
xs
=0000100
=0010000
=1000000
=110
0 110
i10 = 1 0 0 1 1 0 1
x12 = 10 10 0 10
(Berlekamp observed that the operation of squaring a polynomial
n-l
YJ diX' mod f(x)
¿=o
is the same as multiplying
powers.) We compute 7V
the vector aoßi • • • an-i by the n X n matrix of even
x
=0000010
x2
x4
xs
=0000100
=0010000
=110
0 110
x16
x32
x64
=0001011
=10
0 0 10 1
=10
0 0 0 11
a;128 =10
10 111
Z256 =0100001
■x-612 = 10 0 110
0
Ti(x) = 10 0 0 111
x210 = x, hence N = 10.
Ti(x) is therefore an /-reducing
polynomial,
so
/ = (1 0 1 1 0 0 1 1, 1 0 0 0 1 1 1) (1 0 1 1 0 0 1 1, 1 0 0 0 1 1)
must be a nontrivial
factorization:
License or copyright restrictions may apply to redistribution; see http://www.ams.org/journal-terms-of-use
866
ROBERT J. MCELIECE
10110011
10 0 0 111
11110
1
10 0 0 111
11110
1
11110
1
10110011
10 0 0 11
111111
10 0 0 11
1110
0
10 0 0 11
110 11
1 1 1
1 1 1
1 1 1
Hence/ = (1 1 1 1 0 1) (1 1 1). Of course 1 1 1 is irreducible, and it remains to investigate 11110
1. The matrix of even powers modulo 1 1 1 1 0 1 is obtained by
reducing the corresponding matrix for J by reducing mod 1 1 1 1 0 1 :
x° = 0 0 0 0 1
x2
x4
x6
xs
x
x2
x4
xs
x16
=
=
=
=
0
1
0
1
0
0
0
1
1
0
1
1
=00010
=00100
=10
0 0 0
=1110
0
=01011
Ti(x) = 00001
0
0
1
0
0
0
1
0
x3
x6
x12
x24
x«
=01000
=00111
=10
10 1
=01101
=10110
Tz(x) =00001
x2i = x, N = 5
Hence 1 1 1 1 0 1 is irreducible and so/(x) = (1 1 1 1 0 1) (1 1 1) is a product of
irreducibles. (Actually in this case we could deduce that 11110
1 was
from A7 = 10 for /, since any factorization of 1111 0 1 would have led to
N.) Next we check to see whether or not (J, /') is divisible by either
factors already found. (/, /') = (110 0 0 l)2, so we need only check for
irreducible
a different
of the two
divisibility
by 111, and it is easily found that 11 0 0 0 1 = (11 1) (1 0 1 1). Hence
fix)
= (x6 + x4 + x8 + x2 + l)(x3
+ x + l)2(x2 + x + l)3
is the complete factorization.
2. Consider the factorization of the polynomials xe — 1 over GF(p), p a prime.
There is no loss in assuming that (e, p) = 1, since if e = eip', then
xe — 1 = (xn — l)pt. In this special case, the computation of the Ä,- is very simple
(see proof of Lemma 1) ; one need only compute the orbits of the residues mod e
under the cyclic permutation group generated by i —>ip (mod e), and these orbits
contain the exponents which occur in the various Ä,-. For example with p = 3,
e = 20 the orbits are
(0), (1, 3, 9, 7) (2, 6, 18, 14) (4, 12, 16, 8) (5, 15) (10) (11, 13, 19, 17),
and so the corresponding
Ri are Äi(x) = x 4- x3 4- x7 + x9, Ri(x) = x2 + x6 -f- x14
License or copyright restrictions may apply to redistribution; see http://www.ams.org/journal-terms-of-use
FACTORIZATION OF POLYNOMIALS OVER FINITE FIELDS
867
+ x18,R3(x) = x4 + x8 + x12+ x16, etc. The algorithm of this paper, using the R/s,
was programmed on an SDS-930 computer, and produced the table appearing in the
microfiche section of this issue.
Notes on the Table in the Microfiche Section: For a given e only the irreducible
factors of xe — 1 which are not factors of xe' — 1 for e' < e are given, so what we have
really is a table of the factorization of the cyclotomic polynomials ^(x) of order e,
deg 4>e(x) = 4>(e).The complete factorization is obtained from the formula xe — 1 =
IX* I« $á(x). As is well known, the irreducible factors of <Pe(x) are all of the same
degree = ord6(p), and in fact the shape of the complete factorization may be seen
from the orbits used to calculate the Ri. In the example given above, the orbit
structure shows that x20 — 1 is a product of four irreducibles of degree 4, one of
degree 2 and two of degree one. The orbits (1, 3, 9, 7) and (11, 13, 19, 17) exhaust
the residues prime to 20, so that $2o(x) is a product of two irreducibles of degree 4.
If a polynomial/(x)
= ao + aix + ■• • + amxm divides $e(x), then so does its
reciprocal polynomial f(x) = am 4- am-ix + • • • + aaxm, and only one member of a
reciprocal pair is listed. For those e which divide an integer of the form pl + 1, each
irreducible divisor of $e(x) is self-reciprocal; this is indicated by a "P" (since the
polynomials are then palindromes) after the entry e. When e is either an odd prime
r (or twice an odd prime) and $e(x) = xM + x'-2 + ■• • + x + 1 (or xr_1 — xr_2 +
• ■• — x + 1) is irreducible, the entry "I" is given. Also, for some values of e = fg
the irreducible divisors of $e(x) may be obtained from those of period/ by replacing
x by x°. This is indicated by the entry (f-g).
Finally, for p = 2 and 3 the entries are coded. Binary polynomials are given the
customary octal representation; e.g., 7053 represents x11 + x10 + x9 + x5 + x3 +
x + 1. Ternary polynomials are coded in the base 9; e.g., 378 represents x5 + 2x3 +
x2 + 2x + 2. Polynomials for p = 5 and p = 7 are not coded; i.e., the coefficients
are read directly from the table entries.
Information Processing
Jet Propulsion Laboratory
Pasadena, California 91103
1. R. W. Marsh,
Table of Irreducible Polynomials over GF(2) through Degree 19, NSA, U.S.
Department of Commerce, Office of Tech. Service, Washington, D.C., 1951.
2. E. R. Berlekamp,
"Factoring polynomials over finite fields," Bell System Tech. J., v. 46,
1967, pp. 1853-1859. MR 36 #2314.
3. S. Lang, Algebra, Addison-Wesley, Reading, Mass., 1965. MR 33 #5416.
License or copyright restrictions may apply to redistribution; see http://www.ams.org/journal-terms-of-use
